This copy is for your personal, non-commercial use only. To order presentation-ready copies for distribution to your colleagues, clients or customers, click the "Reprints" link at the top of any article.

Risk, Legal Departments Team Up on Threats

Risk managers talk about their top legal challenges and how they work with their legal departments.

To successfully protect their organizations in an increasingly risky and litigious world, it’s imperative that risk managers and in-house counsel partner closely with each other. NU spoke with several members of our Risk Managers Advisory Board to hear about the most pressing challenges their legal and risk departments are working collectively to solve; and to get their advice on how risk managers can most effectively communicate with their attorney colleagues.

Karl Zimmel Director, Risk Management Services UniSource Energy Corp.

What are the top issues this year that UniSource’s risk-management department is working closely with your organization’s legal department to address?

To develop a policy and procedure regarding how to respond to customers and employees potentially affected by a database breach; and developing a process to preserve claim investigations as attorney-client privileged information.

At UniSource, how do you communicate with the legal department in identifying issues and addressing them collectively?

I work more closely with our general counsel on a daily basis than with any other officer. I primarily work with legal on claims, contracts and various laws. Risk management self-administers liability claims; legal doesn’t formally get involved until they are litigated. However, informally I keep them advised of significant claims prior to litigation in order to both seek consultation and get them prepared if they go into litigation.

I also use the legal department’s research regarding risk identification and new issues. For example, in my development of procedures to handle potential data breaches, I asked legal to provide me research on our regulatory requirements for notifying those who may have been affected by a data breach. However, it is just one of several departments risk management needs to work with to complete the project. We will also be working with IT, customer service and our [executive] group on this project.

What advice can you give to other risk managers about the most effective way to interface with the legal department?

I have found at many different employers, corporate attorneys rarely have an in-depth understanding of insurance because it is rarely addressed in law school. Therefore, risk managers need to have confidence to step up as the insurance expert and not be intimidated by attorneys when addressing insurance matters.

It’s helpful to educate corporate counsel on the basics of insurance such as first-party versus third-party coverage, subrogation, etc. When advising why you take a particular position regarding insurance language in a contract, it helps to explain how an insurance policy will respond to specific loss scenarios. That’s when the light bulb goes off for attorneys.

Handling insurance education with corporate counsel can make or break your relationship. It needs to be done without being condescending or confrontational. If you initially approach counsel in a friendly, helpful manner, they will often admit they don’t understand insurance but appreciate your expertise, and it will be the start of a very good, long-term relationship. Conversely, risk managers need to admit to legal when they need help understanding some legal and/or important regulatory principles that will be the foundation for many future transactions.

William MontanezDirector, Risk Management Ace Hardware

What are the top issues of 2012 that Ace’s risk-management department is working closely with your organization’s legal department to address?

Most of our legal issues are focused on vendor-indemnification agreements and contractual reviews. The risk manager reviews any significant contract that comes through Ace’s doors, whether a contract for materials that we purchase for resale or services that we purchase for IT, consulting, etc. Ace Hardware has a process that reviews the risk implications of every significant contract, and the legal department does the final review on the contract.

How do you communicate with the legal department in identifying issues and addressing them collectively?

We interact with the legal department from an insurance and contractual-compliance point of view, and the legal department notifies us about a case or a suit that is being filed where we need to get involved to explain our insurance policies and coverage triggers.

We communicate regularly and often with the members of our in-house legal team. We respect each other’s expertise; we know what the legal department’s viewpoint is, and vice versa. As we are fond of saying: “We don’t practice law, and they don’t practice risk management,” but we always consult one another.

Can you talk about an example where the two departments successfully worked through a situation with both legal and risk-management implications?

We introduced a Cyber Liability policy a little over four years ago that we developed with the IT team. We sat down with the legal department and discussed the various coverage triggers of the policy.

What advice can you give other risk managers about the most effective way to interface with the legal department?

Both the risk-management and legal department have to understand that there is value in both processes, although there are also borders between them. Make sure that everyone has the right motivation in place, because at the end of the day, our overlap is that we are both trying to protect the company. The workflow and relationships don’t develop overnight, but they eventually will if you are both willing to be transparent and open.

Michael LiebowitzDirector of Risk Management and Insurance New York University (NYU)

What are the top issues this year that NYU’s risk-management department is working closely with your organization’s legal department to address?

The overarching issue is to get all of NYU’s contracts through review by the legal department and risk-management office. Many contracts bypass review and are signed by people who are unauthorized to do so. We’d love to make this a mandate, but then people would be loathe to comply. So from a grassroots perspective, we’d like to get people to understand why bringing contracts to both departments is important—because we can explain their repercussions, [potential] losses and risk-transfer mechanisms.

How are you working with the legal department to manage Cyber risk?

Cyber risk is a three-pronged issue that belongs to the legal department for licensing and IP agreements; the risk-management departments for the evaluation of exposure; and, of course, our IT people, the real owners of that risk. It also ropes back around to our third-party cloud [vendors], who are legally responsible for providing the policies and security procedures to protect our data that lives in their hardware.

At NYU, how do you communicate with the legal department in identifying issues and addressing them collectively?

It’s a collaboration. We talk amongst ourselves in “legalese,” but the key is to get each party to put things down to a language we both understand. The general counsel and I sit down and talk about our bifurcated issues. I don’t step into [legal] terms, and they don’t step into indemnity, but we come out with an agreement that is going to protect our organization. Unfortunately, we do sometimes have to walk away from a vendor because of indemnity and insurance provisions. The two pieces of legal and insurance have to come to an agreement as a single unit. If they don’t, that contract cannot move forward.

What are the top issues this year that Advocate Health Care’s risk-management department is working closely with your organization’s legal department to address?

Health-care reform is obviously a huge focus from a provider perspective, and it is also a major focus from a risk-management perspective. Now that the Patient Protection and Affordable Care Act (PPACA) has passed the Supreme Court’s scrutiny, it is important for health-care risk managers to recognize the implications PPACA may have on their insurance coverage, actuarial analysis and scope of services.

Insurance coverage will likely be impacted by the potential for increasing claims in the Errors & Omissions, Directors & Officers and Institutional Negligence arenas.

Merger-and-acquisition activity is also on the rise across the health-care sector as consolidation proves to be a potential solution in response to PPACA for hospitals as well as physicians. This means the health-care risk manager must have a seat at the table during due-diligence analysis and must provide viable and valuable solutions to meet the strategic needs of his or her institution.

Although due-diligence analysis is essential, the work of M&A does not end with due diligence; it begins there. The real challenge for health-care risk managers is 1) the integration of two insurance portfolios into one comprehensive program; and 2) the cultural transformation necessary for two independent entities to integrate into one successful health-care program.

What advice can you give to other risk managers about effectively interfacing with the legal department?

I am a lawyer, so perhaps it is naturally easier for me to interact with the legal department, but it should be easy for everyone.

First, I believe it is important to present issues to the legal department only after you have conducted your own due diligence. This way when you are asked specific questions, you will be prepared to answer in a meaningful way.

Furthermore, I believe it is essential to come to the legal department with potential operational solutions already identified. This ensures that the attorney not only has the background information but also understands the direction in which you want to proceed. Once the lawyer understands these two points, it is easier for him or her to explain the most efficient and effective method to achieve your goal.

Remember to begin your interaction with your legal department with the end in mind: What do you want? If you want legal advice on a proposed solution, then you need to bring a solution that has enough substance for the attorney to opine. If you want options to overcome an operational challenge, make sure that you have all the current information on the operation and its challenges. It is important to remember that the legal department wants to support you in identifying creative and proactive solutions to eliminate or mitigate risks and advance the operations of the organization.

Gary PearceVice President, Risk Management Group Kelly Services Inc.

What are the top issues this year that Kelly Services’ risk-management department is working closely with your organization’s legal department to address?

Compliance and globalization are the top issues. Compliance is focused on wage-hour risk, employment eligibility, screening practices and safety management.

At Kelly, how do you communicate with the legal department in identifying issues and addressing them collectively?

As for communication with our legal [department], we saw a compelling need for close collaboration in this regard—and so did our executive management. As a consequence, a few years ago we consolidated our legal, risk, safety, security, workers’ compensation and unemployment functions into one organization known as the Law and Risk Management Division.

We saw substantial initial advantages in customer-contract management and in launching an ERM program. But now this integration also spans many other issues such as liability-claim management and legal/risk support of new-product development.

Our staffs are co-located, which not only [fosters] daily collaboration but also affords cross-training and enrichment opportunities that might not otherwise exist. We also report to the General Counsel.

What advice can you give to other risk managers about the most effective way to interact with the legal department?

Risk managers often interface with legal staff under the unspoken presumption of being the junior party in the relationship. Consequently, there is an elevated need for personal credibility on the part of the risk manager: More than simply having a very strong understanding of business and legal principles, the risk manager needs to bring distinct and accretive skills to the table. Effective risk managers can anticipate legal issues and are able to lead the legal/risk dialogue, yet perform effectively in a supportive or consultative role when appropriate.

Treasury & Risk

Treasury & Risk is an online publication and robust website designed to meet the information needs of finance, treasury, and risk management professionals. Our editorial content, delivered through multiple interactive channels, mixes strategic insights from thought leaders with in-depth analysis of best practices, original research projects, and case studies with corporate innovators.